Researchers disclosed a critical security vulnerability, tracked as CVE-2024-38206 (CVSS score: 8.5), impacting Microsoft’s Copilot Studio. An attacker can exploit the vulnerability to access sensitive information.
The flaw is an information disclosure vulnerability reached through server-side request forgery (SSRF): the attacker makes the service issue HTTP requests to destinations of the attacker’s choosing, so whatever the service fetches from endpoints that are reachable only from its own network position (internal hosts, cloud metadata endpoints) ends up disclosed to the attacker.
“An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network,” reads the advisory published by Microsoft.

The vulnerability was reported by cybersecurity researcher Evan Grant from Tenable.

“[W]e take a look at a server-side request forgery (SSRF) vulnerability in Copilot Studio that leveraged Copilot’s ability to make external web requests. Combined with a useful SSRF protection bypass, we used this flaw to get access to Microsoft’s internal infrastructure for Copilot Studio, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances,” reads the report published by Grant.

“We tested this from multiple tenants and confirmed that, while no cross-tenant information appeared immediately accessible, the infrastructure used for this Copilot Studio service was shared among tenants. Any impact on that infrastructure could affect multiple customers. While we don’t know the extent of the impact that having read/write access to this infrastructure could have, it’s clear that because it’s shared among tenants, the risk is magnified,” concludes the report published by Tenable. “We also determined we could access other internal hosts, unrestricted, on the local subnet to which our instance belonged (10.0.x.0/24).”
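The report names two kinds of internal target, the Instance Metadata Service and hosts on the instance’s own 10.0.x.0/24 subnet, and an SSRF guard that inspects only the URL string fails exactly there. The Python below is added here as an illustration and is not code from Copilot Studio, Microsoft or Tenable’s write-up; neither the page nor the example describes the bypass Tenable actually used. It contrasts a hostname denylist with a guard that evaluates every address a host resolves to and re-runs the check on every redirect hop. The host names (attacker.example, cosmos-internal.example), the addresses and the canned HTTP responses are constructed so the code runs offline.

```python
"""Outbound-fetch guard for a service that fetches URLs on users' behalf.
Added illustration, not code from Copilot Studio or Tenable's write-up. The
page does not describe the real bypass; this shows two generic SSRF-filter
weaknesses instead: a denylist on the literal hostname, and checking only
the first URL of a redirect chain."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], List[str]]
Response = Tuple[int, Dict[str, str], bytes]  # status, headers, body


def address_is_internal(addr: str) -> bool:
    """Addresses a server-side fetch must never reach: RFC 1918 space (the
    10.0.x.0/24 subnet in the report), loopback, and link-local, which
    includes the Instance Metadata Service at 169.254.169.254."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 -> 10.0.0.5
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup; the demo substitutes a stub so it runs offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def naive_url_is_allowed(url: str) -> bool:
    """The weak pattern: a string denylist matched against the hostname as written."""
    return (urlsplit(url).hostname or "") not in {"localhost", "127.0.0.1", "169.254.169.254"}


def url_is_allowed(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Decide on where the request will really go: every address the host resolves to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        targets = [str(ipaddress.ip_address(host))]  # IP literal in any notation
    except ValueError:
        try:
            targets = resolver(host)
        except OSError as exc:
            return False, "resolution failed: %s" % exc
    for addr in targets:
        if address_is_internal(addr):
            return False, "%s resolves to internal address %s" % (host, addr)
    return True, "ok"


def guarded_fetch(url: str, opener: Callable[[str], Response],
                  resolver: Resolver = system_resolver, max_redirects: int = 5) -> Tuple[int, bytes]:
    """Follow redirects by hand so the guard runs on every hop, not only the first."""
    for _ in range(max_redirects + 1):
        ok, why = url_is_allowed(url, resolver)
        if not ok:
            raise PermissionError("blocked %s: %s" % (url, why))
        status, headers, body = opener(url)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # re-checked on the next iteration
            continue
        return status, body
    raise PermissionError("too many redirects")


# Constructed sample environment (no network, addresses illustrative only): a
# redirector on a public address that bounces into IMDS, a hypothetical internal
# Cosmos DB name on the local subnet, and an ordinary public site.
SAMPLE_DNS = {"attacker.example": ["11.22.33.44"],
              "cosmos-internal.example": ["10.0.7.25"],
              "www.example.com": ["93.184.216.34"]}
SAMPLE_HTTP = {
    "http://attacker.example/": (302, {"Location": "http://169.254.169.254/metadata/instance"}, b""),
    "http://169.254.169.254/metadata/instance": (200, {}, b'{"compute": {"name": "vm"}}'),
    "http://www.example.com/": (200, {}, b"<html>ok</html>"),
}


def sample_resolver(host: str) -> List[str]:
    if host not in SAMPLE_DNS:
        raise socket.gaierror("constructed resolver: unknown host %s" % host)
    return SAMPLE_DNS[host]


def sample_opener(url: str) -> Response: return SAMPLE_HTTP[url]


def demo() -> Dict[str, bool]:
    """Naive filter versus resolved-address guard, on the constructed sample."""
    mapped_imds = "http://[::ffff:169.254.169.254]/metadata/instance"
    results = {
        "naive_passes_mapped_imds": naive_url_is_allowed(mapped_imds),
        "naive_passes_redirector": naive_url_is_allowed("http://attacker.example/"),
        "guard_blocks_mapped_imds": not url_is_allowed(mapped_imds, sample_resolver)[0],
        "guard_blocks_internal_name": not url_is_allowed("http://cosmos-internal.example/", sample_resolver)[0],
        "guard_allows_public": guarded_fetch("http://www.example.com/", sample_opener, sample_resolver)[0] == 200,
    }
    try:  # first hop is a public address and passes; the redirect target does not
        guarded_fetch("http://attacker.example/", sample_opener, sample_resolver)
        results["guard_blocks_redirect_to_imds"] = False
    except PermissionError:
        results["guard_blocks_redirect_to_imds"] = True
    return results
```

One caveat on the design: `url_is_allowed` resolves the name and then a separate HTTP client connects, so a name that changes its answer between the two lookups (DNS rebinding) can still slip through. A production guard should either pin the connection to the address it checked or perform `address_is_internal` inside the HTTP client’s connect hook, and it should also refuse protocol changes on redirect.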
Pierluigi Paganini

(SecurityAffairs – hacking, Copilot Studio)